Wireless Access

MVP
Posts: 501
Registered: ‎04-03-2007

MacOS system profile for 802.1X?

Hi! I'm working with my Active Directory team to try and push a computer certificate to an OSX machine along with a system (not user) profile. With such a configuration, the laptop should be able to authenticate upon booting up before a user logs into the machine.

Has anyone successfully done this? If so, can you be specific and explain how you did this and what tools were required to make it happen?

Much appreciated!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: MacOS system profile for 802.1X?

You can do this with Apple Configurator or Profile Manager.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 501
Registered: ‎04-03-2007

Re: MacOS system profile for 802.1X?

Profile Manager can't distribute the computer certificates though, right?

I'm also looking for folks that have not only built this but have also sustained operations of it successfully and happily, fwiw.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: MacOS system profile for 802.1X?

Profile Manager pushes the profile(s) down to the client or user profile. The profile can have a certificate enrollment configuration.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 501
Registered: ‎04-03-2007

Re: MacOS system profile for 802.1X?

I believe that is based on a user enrollment, no? We need to have no tie-in with the user account.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: MacOS system profile for 802.1X?

Are the machines joined to the domain?

Take a look at this:

http://kevinbecker.org/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 501
Registered: ‎04-03-2007

Re: MacOS system profile for 802.1X?

Closing the loop, we ended up using Centrify to manage group policy on our OSX machines. The mobileconfig profile sent to the device was set for EAP-TLS and also included *all* the certificates, including the root (marked as trusted). Doing it this way auto-associated the device's certificate (also received via Centrify) with the mobileconfig profile.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
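
As an added example (not from the thread or any poster's configuration), this Python check audits an unsigned .mobileconfig for the three properties the last post describes: a System setup mode, EAP-TLS only, and a root certificate shipped in the same profile and referenced as the trust anchor. The SSID, UUIDs and certificate bytes in the sample profile are constructed placeholders, and the function names are hypothetical.

```python
import plistlib

EAP_TLS = 13  # IANA EAP method type for EAP-TLS

def audit_mobileconfig(data: bytes) -> list:
    """Return findings for each Wi-Fi payload in an unsigned .mobileconfig."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    # UUIDs of root CA certificates shipped inside this same profile
    roots = {p.get("PayloadUUID") for p in payloads
             if p.get("PayloadType") == "com.apple.security.root"}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "<no SSID>")
        eap = p.get("EAPClientConfiguration", {})
        if "System" not in p.get("SetupModes", []):
            findings.append(f"{ssid}: no System setup mode, so no 802.1X before a user logs in")
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            findings.append(f"{ssid}: AcceptEAPTypes is not limited to EAP-TLS (13)")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or any(a not in roots for a in anchors):
            findings.append(f"{ssid}: trust anchor missing or not a root in this profile")
    return findings

def sample_profile(modes, eap_types, anchors) -> bytes:
    """Constructed sample profile; every identifier below is a placeholder."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.dot1x", "PayloadUUID": "UUID-PROFILE",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "UUID-ROOT",
             "PayloadContent": b"placeholder-der-bytes"},
            {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "UUID-WIFI",
             "SSID_STR": "example-ssid", "EncryptionType": "WPA2",
             "SetupModes": modes,
             "EAPClientConfiguration": {"AcceptEAPTypes": eap_types,
                                        "PayloadCertificateAnchorUUID": anchors}},
        ]})

if __name__ == "__main__":
    print(audit_mobileconfig(sample_profile(["System"], [13], ["UUID-ROOT"])))
    for finding in audit_mobileconfig(sample_profile([], [25, 13], [])):
        print(finding)
```

A signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.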